Packet Capture - Tied to L4 Data

triggers

#1

Is it possible to capture specifically RST packets?

User is complaining of sporadic HTTP disconnects and it is not super reproducible. Is there a way to have the appliance automatically capture RST packets? Even better if we can narrow it to src and/or dst IPs.


#2

I took the trigger suggested above and used a little formatting kung-fu to make it look pretty.

if (HTTP.isReqAborted) {
    // limit packet capture
    var opts = { maxPackets: 100 };
    Flow.captureStart("HTTP req aborted", opts);
} else if (HTTP.isRspAborted) {
    // limit packet capture
    var opts = { maxPackets: 100 };
    Flow.captureStart("HTTP response aborted", opts);
}

And, I added an else to the second if as a minor little performance enhancement. :slight_smile:


#3

You are probably looking for something under FLOW_CLASSIFY like isAborted

I believe this is what you can use when a RST is sent to the client.


#4

Use TCP_CLOSE and check TCP.isReset, for example:

if (TCP.isReset) {
    Flow.captureStart("reset");
}

#5

By applying the trigger to only the specific source/web server of interest, you can capture RST packets only on that source. Further, since the issue is random HTTP disconnects, you can also use:

if (HTTP.isReqAborted) {
    // limit packet capture
    var opts = { maxPackets: 100 };
    Flow.captureStart("HTTP req aborted", opts);
}
if (HTTP.isRspAborted) {
    // limit packet capture
    var opts = { maxPackets: 100 };
    Flow.captureStart("HTTP response aborted", opts);
}


#6

I actually ended up using flow_classify and using tcp.isAbort.
Below’s the code snippet.

if (TCP.isAborted) {
    // limit packet capture
    var opts = {
        maxPackets: 200,
        maxPacketsLookback: 100
    };
    Flow.captureStart("Rst", opts);
}

However, I can’t for the life of me figure out how to source a IP. I would like to narrow down the results. Also, it doesn’t seem to capture the entire conversation. I don’t see the beginnings of the syn, syn/ack, ack. Is there no way to capture that entire conversation?


#7

When you say “source a IP”, do you mean pick a specific IP? To find the IP address 1.2.3.4, you would use something like:

if ( Flow.client.ipaddr == "1.2.3.4" ) { . . .

(and, change client to server if you want to isolate a specific server)

As for capturing SYN / ACK, that has been added to the 5.0 firmware which is up on the support portal now.

One final thought. You mentioned that your trigger fires on FLOW_CLASSIFY. This event happens when ExtraHop determines what protocol is in play. If you are looking for Aborted connections, you may want to fire on TCP_CLOSE, which fires when a connection shuts down.

And, if you are looking for connection issues, looking for isAborted is one avenue of investigation. Another tool is isExpired which indicates one side of the conversation simply “walked away” without closing the connection.
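Putting the advice in this reply together (fire on TCP_CLOSE, narrow to one client IP, treat isAborted and isExpired as two different failure signatures, cap the capture with the maxPackets/maxPacketsLookback options from #6), here is an added example that is not from the thread or from ExtraHop: the trigger body is wrapped in a function that takes stand-ins for the Flow and TCP globals so it can run off-appliance, and makeFlow builds a constructed flow record that logs captureStart calls. On a real appliance the body of onTcpClose would be the trigger itself.

```javascript
// Added example, not code from the thread. On the appliance Flow and TCP are
// ambient globals; here they are passed in so the logic can run stand-alone.
const WATCHED_CLIENT = "1.2.3.4";   // client IP from post #7; assumed host of interest
const CAPTURE_OPTS = { maxPackets: 200, maxPacketsLookback: 100 }; // option names from post #6

// TCP_CLOSE handler. Returns the capture name it requested, or null when the
// flow is either not the watched client or closed cleanly.
function onTcpClose(flow, tcp) {
  // Narrow to the client of interest so the appliance does not capture every reset it sees.
  if (String(flow.client.ipaddr) !== WATCHED_CLIENT) {
    return null;
  }
  const peer = flow.client.ipaddr + " -> " + flow.server.ipaddr;
  if (tcp.isAborted) {
    // One side tore the connection down with a RST: the case the original poster is chasing.
    const name = "Rst " + peer;
    flow.captureStart(name, CAPTURE_OPTS);
    return name;
  }
  if (tcp.isExpired) {
    // Nobody sent FIN or RST; a peer simply went silent and the flow timed out.
    const name = "Expired " + peer;
    flow.captureStart(name, CAPTURE_OPTS);
    return name;
  }
  return null; // normal FIN/ACK teardown, nothing worth a capture
}

// Constructed stand-in for a flow record that records captureStart calls.
function makeFlow(clientIp, serverIp) {
  const captures = [];
  return {
    client: { ipaddr: clientIp },
    server: { ipaddr: serverIp },
    captures,
    captureStart(name, opts) { captures.push({ name, opts }); },
  };
}

// Stand-alone demo: a reset from the watched client triggers a capture,
// the same reset from another client does not.
const demo = makeFlow("1.2.3.4", "10.0.0.8");
console.log(onTcpClose(demo, { isAborted: true, isExpired: false }), demo.captures);
console.log(onTcpClose(makeFlow("9.9.9.9", "10.0.0.8"), { isAborted: true, isExpired: false }));
```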